Global financial services firm Morgan Stanley has agreed to pay a $1 million penalty for failure to safeguard customer data, the U.S. Securities and Exchange Commission (SEC) said on Wednesday.

According to a statement by the SEC, the Wall Street bank violated a federal regulation – known as the “Safeguards Rule” – by failing to adopt federally required written policies and procedures reasonably designed to protect customer data.

As a result, former financial advisor Galen Marsh was able to gain access to confidential information and transfer client data from an estimated 730,000 accounts to his personal server from 2011 to 2014.

“A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities,” the SEC said.

In a separate SEC order, Marsh was barred from the industry for five years. In December, he was criminally convicted for the breach and was sentenced to three years probation, and ordered to pay $600,000 in restitution.